---
sidebar_label: Login Enforcement
description: >-
  The '/identity/mfa/login-enforcement' endpoint focuses on specifying which MFA methods should be used
  when logging in.
---

## Create a login enforcement

This endpoint creates or updates a login enforcement that specifies which MFA methods should be used when logging into
OpenBao. If there are multiple login enforcements, each one needs to be satisfied before a login attempt  succeeds.

| Method | Path                                    |
| :----- |:----------------------------------------|
| `POST` | `/identity/mfa/login-enforcement/:name` |

### Parameters

- `name` `(string: <required>)` - Name for this login enforcement configuration.

- `mfa_method_ids` `([]string: <required>)` - Array of MFA method UUIDs to use. These will be ORed together, meaning
if several IDs are specified, any one of them is sufficient to login.

- `auth_method_accessors` `([]string: [])` - Array of auth mount accessor IDs. If present, only auth methods
corresponding to the given accessors are checked during login.

- `auth_method_types` `([]string: [])` - Array of auth method types. If present, only auth methods
corresponding to the given types are checked during login.

- `identity_group_ids` `([]string: [])` - Array of identity group IDs. If present, only entities belonging
to one of the given groups are checked during login.

- `identity_entity_ids` `([]string: [])` - Array of identity entity IDs. If present, only entities with the given IDs are checked during login.

Note that while none of `auth_method_accessors`, `auth_method_types`, `identity_group_ids`, or `identity_entity_ids` is
individually required, at least one of those four fields must be present to create a login enforcement.

### Sample payload

```json
{
  "mfa_method_ids": ["134f7ce9-feae-4c6c-9ed7-ab3e413dbfce"],
  "auth_method_accessors": ["auth_userpass_337fdb6a"]
}
```

### Sample request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    --data @payload.json \
    http://127.0.0.1:8200/v1/identity/mfa/login-enforcement/foo
```

## Read login enforcement

This endpoint reads the login enforcement configuration for a given name.

| Method | Path                                    |
| :----- |:----------------------------------------|
| `GET`  | `/identity/mfa/login-enforcement/:name` |

### Parameters

- `name` `(string: <required>)` – Name of the login enforcement.

### Sample request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    --request GET \
    http://127.0.0.1:8200/v1/identity/mfa/login-enforcement/foo

```

### Sample response

```json
{
  "data": {
    "auth_method_accessors": [
      "auth_userpass_337fdb6a"
    ],
    "auth_method_types": [],
    "id": "24167a6c-759a-c596-6d48-391c89c4befc",
    "identity_entity_ids": [],
    "identity_group_ids": [],
    "mfa_method_ids": [
      "c1372abf-bf64-1f26-c2a4-cbcfa135b775"
    ],
    "name": "foo",
    "namespace_id": "root"
  }
}
```

## Delete login enforcement

This endpoint deletes a login enforcement configuration by the given name.

| Method   | Path                                    |
| :------- |:----------------------------------------|
| `DELETE` | `/identity/mfa/login-enforcement/:name` |

### Parameters

- `name` `(string: <required>)` - Name of the login enforcement.

### Sample request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    --request DELETE \
    http://127.0.0.1:8200/v1/identity/mfa/login-enforcement/foo

```

## List login enforcements

This endpoint lists login enforcements that are visible.

| Method | Path                              |
|:-------|:----------------------------------|
| `LIST` | `/identity/mfa/login-enforcement` |

### Sample request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    --request LIST \
    http://127.0.0.1:8200/v1/identity/mfa/login-enforcement

```

### Sample response

```json
{
  "data": {
    "keys": [
      "foo"
    ]
  }
}
```
